refactor: rip out multi-tenancy, vibe_erp is now single-tenant per instance

Design change: vibe_erp deliberately does NOT support multiple companies in one process. Each running instance serves exactly one company against an isolated Postgres database. Hosting many customers means provisioning many independent instances, not multiplexing them. Why: most ERP/EBC customers will not accept a SaaS where their data shares a database with other companies. The single-tenant-per-instance model is what the user actually wants the product to look like, and it dramatically simplifies the framework. What changed: - CLAUDE.md guardrail #5 rewritten from "multi-tenant from day one" to "single-tenant per instance, isolated database" - api.v1: removed TenantId value class entirely; removed tenantId from Entity, AuditedEntity, Principal, DomainEvent, RequestContext, TaskContext, IdentityApi.UserRef, Repository - platform-persistence: deleted TenantContext, HibernateTenantResolver, TenantAwareJpaTransactionManager, TenancyJpaConfiguration; removed @TenantId and tenant_id column from AuditedJpaEntity - platform-bootstrap: deleted TenantResolutionFilter; dropped vibeerp.instance.mode and default-tenant from properties; added vibeerp.instance.company-name; added VibeErpApplication @EnableJpaRepositories and @EntityScan so PBC repositories outside the main package are wired; added GlobalExceptionHandler that maps IllegalArgumentException → 400 and NoSuchElementException → 404 (RFC 7807 ProblemDetail) - pbc-identity: removed tenant_id from User, repository, controller, DTOs, IdentityApiAdapter; updated UserService duplicate-username message and the matching test - distribution: dropped multiTenancy=DISCRIMINATOR and tenant_identifier_resolver from application.yaml; configured Spring Boot mainClass on the springBoot extension (not just bootJar) so bootRun works - Liquibase: rewrote platform-init changelog to drop platform__tenant and the tenant_id columns on every metadata__* table; rewrote pbc-identity init to drop tenant_id columns, the (tenant_id, *) composite indexes, and the per-table RLS policies - IdentifiersTest replaced with Id<T> tests since the TenantId tests no longer apply Verified end-to-end against a real Postgres via docker-compose: POST /api/v1/identity/users → 201 Created GET /api/v1/identity/users → list works GET /api/v1/identity/users/X → fetch by id works POST duplicate username → 400 Bad Request (was 500) PATCH bogus id → 404 Not Found (was 500) PATCH alice → 200 OK DELETE alice → 204, alice now disabled All 18 unit tests pass.

refactor: rip out multi-tenancy, vibe_erp is now single-tenant per instance
Design change: vibe_erp deliberately does NOT support multiple companies in one process. Each running instance serves exactly one company against an isolated Postgres database. Hosting many customers means provisioning many independent instances, not multiplexing them. Why: most ERP/EBC customers will not accept a SaaS where their data shares a database with other companies. The single-tenant-per-instance model is what the user actually wants the product to look like, and it dramatically simplifies the framework. What changed: - CLAUDE.md guardrail #5 rewritten from "multi-tenant from day one" to "single-tenant per instance, isolated database" - api.v1: removed TenantId value class entirely; removed tenantId from Entity, AuditedEntity, Principal, DomainEvent, RequestContext, TaskContext, IdentityApi.UserRef, Repository - platform-persistence: deleted TenantContext, HibernateTenantResolver, TenantAwareJpaTransactionManager, TenancyJpaConfiguration; removed @TenantId and tenant_id column from AuditedJpaEntity - platform-bootstrap: deleted TenantResolutionFilter; dropped vibeerp.instance.mode and default-tenant from properties; added vibeerp.instance.company-name; added VibeErpApplication @EnableJpaRepositories and @EntityScan so PBC repositories outside the main package are wired; added GlobalExceptionHandler that maps IllegalArgumentException → 400 and NoSuchElementException → 404 (RFC 7807 ProblemDetail) - pbc-identity: removed tenant_id from User, repository, controller, DTOs, IdentityApiAdapter; updated UserService duplicate-username message and the matching test - distribution: dropped multiTenancy=DISCRIMINATOR and tenant_identifier_resolver from application.yaml; configured Spring Boot mainClass on the springBoot extension (not just bootJar) so bootRun works - Liquibase: rewrote platform-init changelog to drop platform__tenant and the tenant_id columns on every metadata__* table; rewrote pbc-identity init to drop tenant_id columns, the (tenant_id, *) composite indexes, and the per-table RLS policies - IdentifiersTest replaced with Id<T> tests since the TenantId tests no longer apply Verified end-to-end against a real Postgres via docker-compose: POST /api/v1/identity/users → 201 Created GET /api/v1/identity/users → list works GET /api/v1/identity/users/X → fetch by id works POST duplicate username → 400 Bad Request (was 500) PATCH bogus id → 404 Not Found (was 500) PATCH alice → 200 OK DELETE alice → 204, alice now disabled All 18 unit tests pass.
vibe_erp
1 parent 28e1aa38
Showing 29 changed files with 353 additions and 717 deletions
CLAUDE.md
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/core/Identifiers.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/entity/Entity.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/event/DomainEvent.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/ext/identity/IdentityApi.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/http/RequestContext.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/persistence/Repository.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/security/Principal.kt
api/api-v1/src/main/kotlin/org/vibeerp/api/v1/workflow/TaskHandler.kt
api/api-v1/src/test/kotlin/org/vibeerp/api/v1/core/IdentifiersTest.kt
distribution/build.gradle.kts
distribution/src/main/resources/application.yaml
distribution/src/main/resources/db/changelog/pbc-identity/001-identity-init.xml
distribution/src/main/resources/db/changelog/platform/000-platform-init.xml
local-vibeerp/config/vibe-erp.yaml
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/application/UserService.kt
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/domain/User.kt
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/ext/IdentityApiAdapter.kt
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/UserController.kt
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/infrastructure/UserJpaRepository.kt
@@ -19,7 +19,7 @@ These rules exist because the whole point of the project is reusability across c
 2. **Workflows are data, not code.** State machines, approval chains, document routing, and form definitions must be declarative (config / DB / DSL) so a new customer can be onboarded by editing definitions, not by editing source.
 3. **Extensibility seams come first.** Before adding any feature, identify the extension point (hook, plug-in interface, event, custom field, scripting hook) it should hang off of. If no seam exists yet, design the seam first, then implement the reference customer's behavior on top of it.
 4. **The reference customer is a test, not a requirement.** When implementing something inspired by `raw/业务流程设计文档/`, ask: "Could a different printing shop with different rules also be expressed here without code changes?" If no, redesign.
-5. **Multi-tenant from day one in spirit.** Even if deployment is single-tenant, data models and APIs should not assume one company, one workflow, or one form layout.
+5. **Single-tenant per instance, isolated database.** vibe_erp is deliberately NOT multi-tenant. One running instance serves exactly one company against an isolated Postgres database. Hosting many customers means provisioning many independent instances (each with its own DB), not multiplexing them in one process. There are no `tenant_id` columns, no row-level tenant filtering, no Row-Level Security, no `TenantContext`, and no per-request tenant resolution anywhere in the framework. Customer isolation is a deployment concern, not a code concern. Data models and APIs may freely assume "one company, one process, one DB" — but they must still allow per-customer customization through configuration, plug-ins, and metadata so the SAME image runs for any customer.
 6. **Global / i18n from day one.** This codebase is the foundation of an ERP/EBC product intended to be sold worldwide. No hard-coded user-facing strings, no hard-coded currency, date format, time zone, number format, address shape, tax model, or language. All such concerns must go through localization, formatting, and configuration layers — even in the very first prototype. The reference docs being in Chinese does **not** mean Chinese is the primary or default locale; it is just one supported locale among many.
 7. **Clean Core.** Borrowed from SAP S/4HANA's vocabulary: extensions **never modify the core**. The core is stable, generic, and upgrade-safe; everything customer-specific lives in plug-ins or in metadata rows. Extensions are graded A/B/C/D by upgrade safety:
    - **A** = Tier-1 metadata only (custom fields, forms, workflows, rules) — always upgrade-safe
@@ -55,7 +55,7 @@ The architecture has been brainstormed, validated against 2026 ERP/EBC SOTA, and
 - **Backend:** Kotlin on the JVM, Spring Boot, single fat-JAR / single Docker image
 - **Workflow engine:** Embedded Flowable (BPMN 2.0)
 - **Persistence:** PostgreSQL (the only mandatory external dependency)
-- **Multi-tenancy:** row-level `tenant_id` + Postgres Row-Level Security (defense in depth, same code path for self-host and hosted)
+- **Multi-tenancy:** intentionally none. Single-tenant per instance, one isolated Postgres database per customer (see guardrail #5)
 - **Custom fields:** JSONB `ext` column on every business table, described by `metadata__custom_field` rows; GIN-indexed
 - **Plug-in framework:** PF4J + Spring Boot child contexts (classloader isolation per plug-in)
 - **i18n:** ICU MessageFormat (ICU4J) + Spring `MessageSource`
@@ -6,10 +6,12 @@ import java.util.UUID
  * Strongly-typed identifier wrapping a UUID.
  *
  * Using `Id<User>` instead of raw `UUID` everywhere prevents the classic
- * mistake of passing a tenant id where a user id was expected — the compiler
- * catches it. The wrapper is a value class so it has zero runtime overhead.
+ * mistake of passing one entity's id where another was expected — the
+ * compiler catches it. The wrapper is a value class so it has zero
+ * runtime overhead.
  *
- * @param T phantom type parameter that names what kind of entity this id refers to.
+ * @param T phantom type parameter that names what kind of entity this id
+ *   refers to.
  */
 @JvmInline
 value class Id<T>(val value: UUID) {
@@ -20,27 +22,3 @@ value class Id&lt;T&gt;(val value: UUID) {
         fun <T> random(): Id<T> = Id(UUID.randomUUID())
     }
 }
-
-/**
- * A tenant identifier.
- *
- * Self-hosted single-customer deployments use a single tenant whose id is the
- * literal string "default". Hosted multi-tenant deployments have one [TenantId]
- * per customer organization.
- */
-@JvmInline
-value class TenantId(val value: String) {
-    init {
-        require(value.isNotBlank()) { "TenantId must not be blank" }
-        require(value.length <= 64) { "TenantId must be at most 64 characters" }
-        require(value.all { it.isLetterOrDigit() || it == '-' || it == '_' }) {
-            "TenantId may only contain letters, digits, '-', or '_' (got '$value')"
-        }
-    }
-
-    override fun toString(): String = value
-
-    companion object {
-        val DEFAULT = TenantId("default")
-    }
-}
 package org.vibeerp.api.v1.entity
 import org.vibeerp.api.v1.core.Id
-import org.vibeerp.api.v1.core.TenantId
 /**
  * Marker interface for every domain entity that lives in the vibe_erp data model.
  *
  * Why this exists at all:
- *  - It enforces, at the type level, that every entity carries a tenant id.
- *    Multi-tenancy is an architectural guardrail (CLAUDE.md #5) and the cheapest
- *    place to enforce it is the type system. A repository signature like
- *    `Repository<T : Entity>` cannot be instantiated for a type that "forgot"
- *    its tenant id.
- *  - It gives the runtime a single hook for tenant filtering, JSONB `ext`
- *    handling, and audit interception without each PBC reinventing it.
+ *  - It gives the runtime a single hook for JSONB `ext` handling, audit
+ *    interception, and metadata-driven custom fields without each PBC
+ *    reinventing it.
  *  - It is intentionally minimal: no equality, no hashCode, no lifecycle
  *    callbacks. Those are concerns of `platform.persistence`, not the public
  *    contract. Adding them later is a breaking change; leaving them out is not.
  *
+ * **Single-tenant per instance.** vibe_erp is deliberately single-tenant per
+ * deployment: one running instance serves exactly one company against an
+ * isolated database. There is no `tenantId` field on this interface and no
+ * tenant filtering anywhere in the framework. Hosting many customers means
+ * provisioning many independent instances, not multiplexing them in one
+ * process. See CLAUDE.md guardrail #5 for the rationale.
+ *
  * Plug-ins implement this on their own data classes. They never see the
  * underlying JPA `@Entity` annotation — that lives in the platform's internal
  * mapping layer.
@@ -25,7 +27,6 @@ import org.vibeerp.api.v1.core.TenantId
  * ```
  * data class Plate(
  *     override val id: Id<Plate>,
- *     override val tenantId: TenantId,
  *     val gauge: Quantity,
  * ) : Entity
  * ```
@@ -39,12 +40,4 @@ interface Entity {
      * parameter to themselves.
      */
     val id: Id<*>
-
-    /**
-     * The tenant that owns this row. Required on every business entity, even in
-     * single-tenant self-hosted deployments (where the value is
-     * [TenantId.DEFAULT]) — there is intentionally one code path for both
-     * deployment shapes.
-     */
-    val tenantId: TenantId
 }
 package org.vibeerp.api.v1.event
 import org.vibeerp.api.v1.core.Id
-import org.vibeerp.api.v1.core.TenantId
 import java.time.Instant
 /**
@@ -12,21 +11,23 @@ import java.time.Instant
  *    other only through events or through `api.v1.ext.<pbc>` interfaces. If
  *    events were untyped, every consumer would have to know every producer's
  *    class, which is exactly the coupling we are trying to avoid.
- *  - The standard envelope (`eventId`, `tenantId`, `occurredAt`,
- *    `aggregateType`, `aggregateId`) is what the platform's outbox table,
- *    audit log, and future Kafka/NATS bridge all rely on. Plug-ins that
- *    forget any of these fields cannot misroute or replay events.
+ *  - The standard envelope (`eventId`, `occurredAt`, `aggregateType`,
+ *    `aggregateId`) is what the platform's outbox table, audit log, and
+ *    future Kafka/NATS bridge all rely on. Plug-ins that forget any of these
+ *    fields cannot misroute or replay events.
+ *
+ * **No tenant id.** vibe_erp is single-tenant per instance — the entire
+ * process belongs to one company — so events do not need to carry a tenant
+ * discriminator. The hosting environment (Postgres database, Kafka cluster,
+ * future event archive) is itself per-instance.
  *
  * Note that this is `interface`, not `sealed interface`: plug-ins must be
  * free to *extend* the hierarchy with their own concrete event classes.
- * "Sealed" here means "every plug-in event must extend this sealed envelope",
- * not "the set of envelope shapes is closed". A truly closed hierarchy would
- * make plug-ins impossible.
+ * A truly closed hierarchy would make plug-ins impossible.
  *
  * ```
  * data class PlateApproved(
  *     override val eventId: Id<DomainEvent> = Id.random(),
- *     override val tenantId: TenantId,
  *     override val occurredAt: Instant = Instant.now(),
  *     val plateId: Id<*>,
  * ) : DomainEvent {
@@ -40,9 +41,6 @@ interface DomainEvent {
     /** Unique id for this event instance. Used for idempotent consumer logic and outbox dedup. */
     val eventId: Id<DomainEvent>
-    /** Tenant the event belongs to. Carried explicitly because background consumers run outside any HTTP request. */
-    val tenantId: TenantId
-
     /** When the event occurred (UTC). Set by the producer, not by the bus, so replays preserve original timing. */
     val occurredAt: Instant
 package org.vibeerp.api.v1.ext.identity
 import org.vibeerp.api.v1.core.Id
-import org.vibeerp.api.v1.core.TenantId
 import org.vibeerp.api.v1.security.PrincipalId
 /**
@@ -26,9 +25,9 @@ import org.vibeerp.api.v1.security.PrincipalId
 interface IdentityApi {
     /**
-     * Look up a user by their unique username within the current tenant.
-     * Returns `null` when no such user exists or when the calling principal
-     * lacks permission to read user records.
+     * Look up a user by their unique username. Returns `null` when no such
+     * user exists or when the calling principal lacks permission to read
+     * user records.
      */
     fun findUserByUsername(username: String): UserRef?
@@ -50,8 +49,7 @@ interface IdentityApi {
  * a deliberate api.v1 change and triggers a security review.
  *
  * @property id Stable user id.
- * @property username Login handle. Unique within [tenantId].
- * @property tenantId Owning tenant.
+ * @property username Login handle. Unique across the instance.
  * @property displayName Human-readable name for UI rendering. Falls back to
  *   [username] when the user has not set one.
  * @property enabled Whether the account is active. A disabled user can still
@@ -61,7 +59,6 @@ interface IdentityApi {
 data class UserRef(
     val id: Id<UserRef>,
     val username: String,
-    val tenantId: TenantId,
     val displayName: String,
     val enabled: Boolean,
 )
 package org.vibeerp.api.v1.http
-import org.vibeerp.api.v1.core.TenantId
 import org.vibeerp.api.v1.security.Principal
 import java.util.Locale
@@ -13,10 +12,15 @@ import java.util.Locale
  *    inside api.v1 would have to bridge classloaders to find the host's
  *    state. An injected context is cleaner, testable, and forces the
  *    plug-in author to declare a dependency on the values they use.
- *  - It is the single answer to "who, where, when, which language, which
- *    request" that every other api.v1 surface (permission check, translator,
+ *  - It is the single answer to "who, when, which language, which request"
+ *    that every other api.v1 surface (permission check, translator,
  *    repository, event bus) consults under the covers.
  *
+ * **No tenant id.** vibe_erp is single-tenant per instance — the entire
+ * process belongs to one company — so the request context does not need to
+ * carry a tenant. The instance's company identity comes from configuration
+ * (`vibeerp.instance.company-name`) and is global to the process.
+ *
  * The host provides one [RequestContext] per HTTP request and per workflow
  * task execution. Background jobs receive a context whose [principal] is a
  * [org.vibeerp.api.v1.security.Principal.System] and whose [requestId] is
@@ -27,14 +31,6 @@ interface RequestContext {
     /** The authenticated caller. Never `null`; anonymous endpoints get a system principal. */
     fun principal(): Principal
-    /**
-     * The tenant the request is operating in. Always equal to
-     * `principal().tenantId` in normal flows, but separated for clarity in
-     * "act as" / impersonation scenarios where the two could legitimately
-     * differ.
-     */
-    fun tenantId(): TenantId
-
     /** The resolved request locale. Same value [org.vibeerp.api.v1.i18n.LocaleProvider.current] would return. */
     fun locale(): Locale
@@ -4,20 +4,21 @@ import org.vibeerp.api.v1.core.Id
 import org.vibeerp.api.v1.entity.Entity
 /**
- * Generic, tenant-scoped repository contract for any [Entity].
+ * Generic repository contract for any [Entity].
  *
  * Why this lives in api.v1:
  *  - Plug-ins must be able to persist their own entities without depending on
  *    Spring Data, JPA, or any platform internal class. The platform binds this
  *    interface to a Hibernate-backed implementation per entity at startup.
- *  - It is the cleanest place to enforce the tenant guarantee: **none of these
- *    methods accept a `tenantId`**. The tenant is resolved from the ambient
- *    [org.vibeerp.api.v1.http.RequestContext] (or, in background jobs, from the
- *    job's tenant binding) by the platform. A plug-in cannot read or write
- *    cross-tenant data through this contract — that is the whole point.
  *  - It is generic on `T : Entity` so the type system rejects "wrong-entity"
  *    mistakes at compile time.
  *
+ * **Single-tenant per instance.** vibe_erp does no tenant filtering anywhere
+ * in the framework — the entire process serves one company against one
+ * isolated database. Customer isolation happens at the *deployment* level
+ * (one running instance per customer), not at the row level. See CLAUDE.md
+ * guardrail #5.
+ *
  * Methods are deliberately few. Anything more sophisticated (joins,
  * projections, native SQL) is a smell at this layer — model the use case as a
  * domain service or a query object instead. Adding methods later (with default
@@ -26,9 +27,7 @@ import org.vibeerp.api.v1.entity.Entity
 interface Repository<T : Entity> {
     /**
-     * Find by primary key. Returns `null` when no row exists for the current
-     * tenant — even if a row with that id exists for *another* tenant. Cross-
-     * tenant reads are unobservable through this API.
+     * Find by primary key. Returns `null` when no row exists.
      */
     fun findById(id: Id<T>): T?
 package org.vibeerp.api.v1.security
 import org.vibeerp.api.v1.core.Id
-import org.vibeerp.api.v1.core.TenantId
 /**
  * Type alias for a principal identifier.
  *
- * Distinct phantom-typed alias of [Id] so signatures like `createdBy: PrincipalId`
- * are self-documenting in IDE hovers and so the compiler refuses to mix a
- * `PrincipalId` with, say, an `Id<Order>`.
+ * Distinct phantom-typed alias of [Id] so signatures like
+ * `createdBy: PrincipalId` are self-documenting in IDE hovers and so the
+ * compiler refuses to mix a `PrincipalId` with, say, an `Id<Order>`.
  */
 typealias PrincipalId = Id<Principal>
@@ -28,6 +27,12 @@ typealias PrincipalId = Id&lt;Principal&gt;
  *    plug-in-to-plug-in calls and for bookkeeping rows the plug-in writes
  *    without a user request (e.g. a periodic sync from an external system).
  *
+ * **Single-tenant per instance.** Principals do NOT carry a tenant id —
+ * the entire vibe_erp instance is owned by exactly one company, so there
+ * is no tenant for the principal to belong to. The company identity comes
+ * from configuration (`vibeerp.instance.company-name`) and is the same for
+ * every principal in the process.
+ *
  * Sealed because the framework needs to switch on the full set in audit and
  * permission code; new principal kinds are deliberate api.v1 changes.
  */
@@ -37,20 +42,11 @@ sealed interface Principal {
     val id: PrincipalId
     /**
-     * The tenant the principal is acting in. A [User] always has one. A
-     * [System] principal uses [TenantId.DEFAULT] for global jobs and a
-     * specific tenant for per-tenant jobs. A [PluginPrincipal] uses the
-     * tenant of the operation it is performing.
-     */
-    val tenantId: TenantId
-
-    /**
      * A real human user (or an AI agent acting on a human's behalf, which the
      * framework intentionally does not distinguish at the principal level).
      */
     data class User(
         override val id: PrincipalId,
-        override val tenantId: TenantId,
         val username: String,
     ) : Principal {
         init {
@@ -64,7 +60,6 @@ sealed interface Principal {
      */
     data class System(
         override val id: PrincipalId,
-        override val tenantId: TenantId,
         val name: String,
     ) : Principal {
         init {
@@ -75,7 +70,6 @@ sealed interface Principal {
     /** A plug-in acting under its own identity. */
     data class PluginPrincipal(
         override val id: PrincipalId,
-        override val tenantId: TenantId,
         val pluginId: String,
     ) : Principal {
         init {
 package org.vibeerp.api.v1.workflow
-import org.vibeerp.api.v1.core.TenantId
 import org.vibeerp.api.v1.security.Principal
 import java.util.Locale
@@ -71,17 +70,6 @@ interface TaskContext {
     fun set(name: String, value: Any?)
     /**
-     * Owning tenant of the workflow instance this task belongs to.
-     *
-     * Workflow tasks do NOT run inside an HTTP request, so the usual
-     * `RequestContext` injection is unavailable. The platform binds the
-     * task's tenant context for the duration of [TaskHandler.execute] and
-     * exposes it here so handlers can pass tenant-aware calls back into
-     * api.v1 services.
-     */
-    fun tenantId(): TenantId
-
-    /**
      * The principal whose action triggered this task instance. For
      * automatically scheduled tasks (timer-driven, signal-driven), this
      * is a system principal — never null.
@@ -3,40 +3,46 @@ package org.vibeerp.api.v1.core
 import assertk.assertFailure
 import assertk.assertThat
 import assertk.assertions.isEqualTo
+import assertk.assertions.isNotEqualTo
 import org.junit.jupiter.api.Test
+import java.util.UUID
+/** Phantom-typed [Id] sanity checks. */
 class IdentifiersTest {
-    @Test
-    fun `TenantId rejects blank`() {
-        assertFailure { TenantId("") }
-        assertFailure { TenantId("   ") }
-    }
+    private class Foo
+    private class Bar
     @Test
-    fun `TenantId rejects too-long values`() {
-        val tooLong = "a".repeat(65)
-        assertFailure { TenantId(tooLong) }
+    fun `Id of valid uuid string round-trips`() {
+        val raw = "11111111-2222-3333-4444-555555555555"
+        val id: Id<Foo> = Id.of(raw)
+        assertThat(id.value).isEqualTo(UUID.fromString(raw))
+        assertThat(id.toString()).isEqualTo(raw)
     }
     @Test
-    fun `TenantId rejects invalid characters`() {
-        assertFailure { TenantId("acme corp") } // space
-        assertFailure { TenantId("acme.corp") } // dot
-        assertFailure { TenantId("acme/corp") } // slash
-        assertFailure { TenantId("acme!") }     // punctuation
+    fun `Id of invalid uuid string fails`() {
+        assertFailure { Id.of<Foo>("not-a-uuid") }
     }
     @Test
-    fun `TenantId accepts the default tenant id`() {
-        assertThat(TenantId("default").value).isEqualTo("default")
-        assertThat(TenantId.DEFAULT.value).isEqualTo("default")
+    fun `Id random produces distinct ids`() {
+        val a = Id.random<Foo>()
+        val b = Id.random<Foo>()
+        assertThat(a).isNotEqualTo(b)
     }
     @Test
-    fun `TenantId accepts hyphens digits and underscores`() {
-        assertThat(TenantId("tenant-1").value).isEqualTo("tenant-1")
-        assertThat(TenantId("acme_2").value).isEqualTo("acme_2")
-        assertThat(TenantId("ACME").value).isEqualTo("ACME")
+    fun `Id of two different phantom types are still equal when their UUIDs match`() {
+        // The phantom parameter is erased at runtime; equality is by UUID.
+        // This test exists to document that the type-safety of `Id<T>` is a
+        // *compile-time* guarantee, not a runtime one. The compiler refuses
+        // to mix `Id<Foo>` with `Id<Bar>`, but reflection or unchecked casts
+        // can still smuggle them — value classes do not box at runtime.
+        val uuid = UUID.randomUUID()
+        val a = Id<Foo>(uuid)
+        val b = Id<Bar>(uuid)
+        assertThat(a.value).isEqualTo(b.value)
     }
 }
@@ -37,10 +37,17 @@ dependencies {
     testImplementation(libs.spring.boot.starter.test)
 }
+// Configure Spring Boot's main class once, on the `springBoot` extension.
+// This is the only place that drives BOTH bootJar and bootRun — setting
+// mainClass on `tasks.bootJar` alone leaves `bootRun` unable to resolve
+// the entry point because :distribution has no Kotlin sources of its own.
+springBoot {
+    mainClass.set("org.vibeerp.platform.bootstrap.VibeErpApplicationKt")
+}
+
 // The fat-jar produced here is what the Dockerfile copies into the
 // runtime image as /app/vibe-erp.jar.
 tasks.bootJar {
-    mainClass.set("org.vibeerp.platform.bootstrap.VibeErpApplicationKt")
     archiveFileName.set("vibe-erp.jar")
 }
@@ -8,6 +8,10 @@
 # Customer overrides live in /opt/vibe-erp/config/vibe-erp.yaml on the
 # mounted volume. Plug-in configuration lives in metadata__plugin_config,
 # never here.
+#
+# vibe_erp is single-tenant per instance: one running process serves
+# exactly one company against an isolated database. There is no
+# multi-tenancy configuration here, by design.
 spring:
   application:
@@ -22,18 +26,6 @@ spring:
     hibernate:
       ddl-auto: validate
     open-in-view: false
-    # Multi-tenant wall #1 (the application-layer wall):
-    # Hibernate's DISCRIMINATOR strategy means every query and every save
-    # is automatically filtered/written with the tenant id from
-    # `HibernateTenantResolver`, which reads `TenantContext` (set per-request
-    # by `TenantResolutionFilter`). Wall #2 — Postgres Row-Level Security —
-    # is enforced by the `RlsTransactionHook` (planned: implementation-plan
-    # P1.1) once it lands. Both walls are required by CLAUDE.md guardrail #5;
-    # disabling either is a release-blocker.
-    properties:
-      hibernate:
-        tenant_identifier_resolver: org.vibeerp.platform.persistence.tenancy.HibernateTenantResolver
-        multiTenancy: DISCRIMINATOR
   liquibase:
     change-log: classpath:db/changelog/master.xml
@@ -49,8 +41,11 @@ management:
 vibeerp:
   instance:
-    mode: ${VIBEERP_INSTANCE_MODE:self-hosted}
-    default-tenant: ${VIBEERP_DEFAULT_TENANT:default}
+    # Display name of the company that owns this instance. Shown in branding,
+    # report headers, and audit logs. There is exactly ONE company per
+    # running instance — provisioning a second customer means deploying a
+    # second instance with its own database.
+    company-name: ${VIBEERP_COMPANY_NAME:vibe_erp instance}
   plugins:
     directory: ${VIBEERP_PLUGINS_DIR:/opt/vibe-erp/plugins}
     auto-load: true
@@ -9,23 +9,17 @@
         Owns: identity__user, identity__role, identity__user_role.
+        vibe_erp is single-tenant per instance: one running process serves
+        exactly one company against an isolated database. There are no
+        tenant_id columns and no Row-Level Security policies on these
+        tables — customer isolation happens at the deployment level.
+
         Conventions enforced for every business table in vibe_erp:
           • UUID primary key
-          • tenant_id varchar(64) NOT NULL
           • Audit columns: created_at, created_by, updated_at, updated_by
           • Optimistic-locking version column
           • ext jsonb NOT NULL DEFAULT '{}' for key-user custom fields
           • GIN index on ext for fast custom-field queries
-          • Composite index on (tenant_id, ...) for tenant-scoped lookups
-          • Postgres Row-Level Security enabled, with a simple per-tenant
-            policy bound to the GUC `vibeerp.current_tenant` set by the
-            platform on every transaction (see TODO below)
-
-        TODO(v0.2): the platform's `RlsTransactionHook` is not yet
-        implemented, so the RLS policy in this file uses
-        `current_setting('vibeerp.current_tenant', true)` and is enabled
-        but not yet enforced (NO FORCE). When the hook lands, change to
-        FORCE ROW LEVEL SECURITY in a follow-up changeset.
     -->
     <changeSet id="identity-init-001" author="vibe_erp">
@@ -33,7 +27,6 @@
         <sql>
             CREATE TABLE identity__user (
                 id           uuid PRIMARY KEY,
-                tenant_id    varchar(64)  NOT NULL,
                 username     varchar(128) NOT NULL,
                 display_name varchar(256) NOT NULL,
                 email        varchar(320),
@@ -45,8 +38,8 @@
                 updated_by   varchar(128) NOT NULL,
                 version      bigint       NOT NULL DEFAULT 0
             );
-            CREATE UNIQUE INDEX identity__user_tenant_username_uk
-                ON identity__user (tenant_id, username);
+            CREATE UNIQUE INDEX identity__user_username_uk
+                ON identity__user (username);
             CREATE INDEX identity__user_ext_gin
                 ON identity__user USING GIN (ext jsonb_path_ops);
         </sql>
@@ -56,24 +49,10 @@
     </changeSet>
     <changeSet id="identity-init-002" author="vibe_erp">
-        <comment>Enable Row-Level Security on identity__user (advisory until RlsTransactionHook lands)</comment>
-        <sql>
-            ALTER TABLE identity__user ENABLE ROW LEVEL SECURITY;
-            CREATE POLICY identity__user_tenant_isolation ON identity__user
-                USING (tenant_id = current_setting('vibeerp.current_tenant', true));
-        </sql>
-        <rollback>
-            DROP POLICY IF EXISTS identity__user_tenant_isolation ON identity__user;
-            ALTER TABLE identity__user DISABLE ROW LEVEL SECURITY;
-        </rollback>
-    </changeSet>
-
-    <changeSet id="identity-init-003" author="vibe_erp">
         <comment>Create identity__role table</comment>
         <sql>
             CREATE TABLE identity__role (
                 id           uuid PRIMARY KEY,
-                tenant_id    varchar(64)  NOT NULL,
                 code         varchar(64)  NOT NULL,
                 name         varchar(256) NOT NULL,
                 description  text,
@@ -84,25 +63,21 @@
                 updated_by   varchar(128) NOT NULL,
                 version      bigint       NOT NULL DEFAULT 0
             );
-            CREATE UNIQUE INDEX identity__role_tenant_code_uk
-                ON identity__role (tenant_id, code);
+            CREATE UNIQUE INDEX identity__role_code_uk
+                ON identity__role (code);
             CREATE INDEX identity__role_ext_gin
                 ON identity__role USING GIN (ext jsonb_path_ops);
-            ALTER TABLE identity__role ENABLE ROW LEVEL SECURITY;
-            CREATE POLICY identity__role_tenant_isolation ON identity__role
-                USING (tenant_id = current_setting('vibeerp.current_tenant', true));
         </sql>
         <rollback>
             DROP TABLE identity__role;
         </rollback>
     </changeSet>
-    <changeSet id="identity-init-004" author="vibe_erp">
+    <changeSet id="identity-init-003" author="vibe_erp">
         <comment>Create identity__user_role join table</comment>
         <sql>
             CREATE TABLE identity__user_role (
                 id           uuid PRIMARY KEY,
-                tenant_id    varchar(64)  NOT NULL,
                 user_id      uuid         NOT NULL REFERENCES identity__user(id) ON DELETE CASCADE,
                 role_id      uuid         NOT NULL REFERENCES identity__role(id) ON DELETE CASCADE,
                 created_at   timestamptz  NOT NULL,
@@ -112,10 +87,7 @@
                 version      bigint       NOT NULL DEFAULT 0
             );
             CREATE UNIQUE INDEX identity__user_role_uk
-                ON identity__user_role (tenant_id, user_id, role_id);
-            ALTER TABLE identity__user_role ENABLE ROW LEVEL SECURITY;
-            CREATE POLICY identity__user_role_tenant_isolation ON identity__user_role
-                USING (tenant_id = current_setting('vibeerp.current_tenant', true));
+                ON identity__user_role (user_id, role_id);
         </sql>
         <rollback>
             DROP TABLE identity__user_role;
@@ -2,410 +2,219 @@
 <!--
   vibe_erp — platform init changelog.
-  Creates the cross-cutting platform tables: a tenant table, an audit
-  table, and the metadata__* registry tables described in architecture
-  spec section 8 ("The metadata store").
+  Creates the cross-cutting platform tables: an audit log and the
+  metadata__* registry tables described in architecture spec section 8
+  ("The metadata store").
-  These are intentionally minimal v0.1 stubs: id + tenant_id + source +
-  timestamps + (where useful) a payload jsonb. Real columns are added by
-  later changesets in the PBCs that own them. pbc-identity owns the User
+  These are intentionally minimal v0.1 stubs: id + source + timestamps
+  + (where useful) a payload jsonb. Real columns are added by later
+  changesets in the PBCs that own them. pbc-identity owns the User
   schema and ships its own changelog.
-  NOTE: Postgres Row-Level Security policies are NOT enabled here. RLS
-  policies are added in a dedicated changeset in the v1.0 cut, so that
-  they can be authored alongside the application-level @TenantId filter
-  (architecture spec section 8 — "Tenant isolation"). The build pattern
-  for that changeset will mirror the changesets below.
+  vibe_erp is single-tenant per instance: one running process serves
+  exactly one company against an isolated database. There are no
+  tenant_id columns and no Row-Level Security policies anywhere in
+  this changelog — customer isolation happens at the deployment level
+  (one running instance per customer).
 -->
 <databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
                                        https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.27.xsd">
-    <!-- ─── platform__tenant ─────────────────────────────────────────── -->
-    <changeSet id="platform-init-001" author="vibe_erp">
-        <createTable tableName="platform__tenant">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-        </createTable>
-        <rollback>
-            <dropTable tableName="platform__tenant"/>
-        </rollback>
-    </changeSet>
-
     <!-- ─── platform__audit ──────────────────────────────────────────── -->
-    <changeSet id="platform-init-002" author="vibe_erp">
+    <changeSet id="platform-init-001" author="vibe_erp">
         <createTable tableName="platform__audit">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <rollback>
-            <dropTable tableName="platform__audit"/>
-        </rollback>
+        <createIndex tableName="platform__audit" indexName="platform__audit_source_idx">
+            <column name="source"/>
+        </createIndex>
+        <rollback><dropTable tableName="platform__audit"/></rollback>
     </changeSet>
     <!-- ─── metadata__entity ─────────────────────────────────────────── -->
-    <changeSet id="platform-init-003" author="vibe_erp">
+    <changeSet id="platform-init-002" author="vibe_erp">
         <createTable tableName="metadata__entity">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__entity" indexName="idx_metadata__entity__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__entity" indexName="metadata__entity_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__entity"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__entity"/></rollback>
     </changeSet>
     <!-- ─── metadata__custom_field ───────────────────────────────────── -->
-    <changeSet id="platform-init-004" author="vibe_erp">
+    <changeSet id="platform-init-003" author="vibe_erp">
         <createTable tableName="metadata__custom_field">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__custom_field" indexName="idx_metadata__custom_field__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__custom_field" indexName="metadata__custom_field_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__custom_field"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__custom_field"/></rollback>
     </changeSet>
     <!-- ─── metadata__form ───────────────────────────────────────────── -->
-    <changeSet id="platform-init-005" author="vibe_erp">
+    <changeSet id="platform-init-004" author="vibe_erp">
         <createTable tableName="metadata__form">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+        </createTable>
+        <createIndex tableName="metadata__form" indexName="metadata__form_source_idx">
+            <column name="source"/>
+        </createIndex>
+        <rollback><dropTable tableName="metadata__form"/></rollback>
+    </changeSet>
+
+    <!-- ─── metadata__list_view ──────────────────────────────────────── -->
+    <changeSet id="platform-init-005" author="vibe_erp">
+        <createTable tableName="metadata__list_view">
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__form" indexName="idx_metadata__form__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__list_view" indexName="metadata__list_view_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__form"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__list_view"/></rollback>
     </changeSet>
     <!-- ─── metadata__workflow ───────────────────────────────────────── -->
     <changeSet id="platform-init-006" author="vibe_erp">
         <createTable tableName="metadata__workflow">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__workflow" indexName="idx_metadata__workflow__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__workflow" indexName="metadata__workflow_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__workflow"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__workflow"/></rollback>
     </changeSet>
     <!-- ─── metadata__rule ───────────────────────────────────────────── -->
     <changeSet id="platform-init-007" author="vibe_erp">
         <createTable tableName="metadata__rule">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__rule" indexName="idx_metadata__rule__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__rule" indexName="metadata__rule_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__rule"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__rule"/></rollback>
     </changeSet>
     <!-- ─── metadata__permission ─────────────────────────────────────── -->
     <changeSet id="platform-init-008" author="vibe_erp">
         <createTable tableName="metadata__permission">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__permission" indexName="idx_metadata__permission__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__permission" indexName="metadata__permission_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__permission"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__permission"/></rollback>
     </changeSet>
     <!-- ─── metadata__role_permission ────────────────────────────────── -->
     <changeSet id="platform-init-009" author="vibe_erp">
         <createTable tableName="metadata__role_permission">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__role_permission" indexName="idx_metadata__role_permission__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__role_permission" indexName="metadata__role_permission_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__role_permission"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__role_permission"/></rollback>
     </changeSet>
     <!-- ─── metadata__menu ───────────────────────────────────────────── -->
     <changeSet id="platform-init-010" author="vibe_erp">
         <createTable tableName="metadata__menu">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__menu" indexName="idx_metadata__menu__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__menu" indexName="metadata__menu_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__menu"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__menu"/></rollback>
     </changeSet>
     <!-- ─── metadata__report ─────────────────────────────────────────── -->
     <changeSet id="platform-init-011" author="vibe_erp">
         <createTable tableName="metadata__report">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__report" indexName="idx_metadata__report__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__report" indexName="metadata__report_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__report"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__report"/></rollback>
     </changeSet>
     <!-- ─── metadata__translation ────────────────────────────────────── -->
     <changeSet id="platform-init-012" author="vibe_erp">
         <createTable tableName="metadata__translation">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__translation" indexName="idx_metadata__translation__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__translation" indexName="metadata__translation_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__translation"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__translation"/></rollback>
     </changeSet>
     <!-- ─── metadata__plugin_config ──────────────────────────────────── -->
     <changeSet id="platform-init-013" author="vibe_erp">
         <createTable tableName="metadata__plugin_config">
-            <column name="id" type="uuid">
-                <constraints primaryKey="true" nullable="false"/>
-            </column>
-            <column name="tenant_id" type="varchar(64)">
-                <constraints nullable="false"/>
-            </column>
-            <column name="source" type="varchar(32)" defaultValue="core">
-                <constraints nullable="false"/>
-            </column>
-            <column name="payload" type="jsonb" defaultValueComputed="'{}'::jsonb">
-                <constraints nullable="false"/>
-            </column>
-            <column name="created_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
-            <column name="updated_at" type="timestamptz" defaultValueComputed="now()">
-                <constraints nullable="false"/>
-            </column>
+            <column name="id" type="uuid"><constraints primaryKey="true" nullable="false"/></column>
+            <column name="source" type="varchar(32)" defaultValue="core"><constraints nullable="false"/></column>
+            <column name="payload" type="jsonb"/>
+            <column name="created_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
+            <column name="updated_at" type="timestamptz" defaultValueComputed="now()"><constraints nullable="false"/></column>
         </createTable>
-        <createIndex tableName="metadata__plugin_config" indexName="idx_metadata__plugin_config__tenant_source">
-            <column name="tenant_id"/>
+        <createIndex tableName="metadata__plugin_config" indexName="metadata__plugin_config_source_idx">
             <column name="source"/>
         </createIndex>
-        <rollback>
-            <dropTable tableName="metadata__plugin_config"/>
-        </rollback>
+        <rollback><dropTable tableName="metadata__plugin_config"/></rollback>
     </changeSet>
 </databaseChangeLog>
@@ -6,8 +6,11 @@
 # operators can copy it as a starting point for a real deployment.
 instance:
-  mode: self-hosted
-  default-tenant: default
+  # Display name of the company that owns this instance.
+  # vibe_erp is single-tenant per instance: one running process serves
+  # exactly one company against an isolated database. Provisioning a
+  # second customer means deploying a second instance.
+  company-name: Acme Printing Co.
 database:
   url: jdbc:postgresql://db:5432/vibeerp
@@ -32,7 +32,7 @@ class UserService(
     fun create(command: CreateUserCommand): User {
         require(!users.existsByUsername(command.username)) {
-            "username '${command.username}' is already taken in this tenant"
+            "username '${command.username}' is already taken"
         }
         val user = User(
             username = command.username,
@@ -2,7 +2,6 @@ package org.vibeerp.pbc.identity.domain
 import jakarta.persistence.Column
 import jakarta.persistence.Entity
-import jakarta.persistence.Id
 import jakarta.persistence.Table
 import org.hibernate.annotations.JdbcTypeCode
 import org.hibernate.type.SqlTypes
@@ -17,9 +16,12 @@ import org.vibeerp.platform.persistence.audit.AuditedJpaEntity
  * This is the entire point of the modular monolith — PBCs get power, plug-ins
  * get safety.
  *
- * Multi-tenancy: `tenant_id` and audit columns come from [AuditedJpaEntity]
- * and are filled in by the platform's JPA listener. PBC code never writes
- * to those columns directly.
+ * Audit columns come from [AuditedJpaEntity] and are filled in by the
+ * platform's JPA listener. PBC code never writes to them directly.
+ *
+ * vibe_erp is single-tenant per instance — the entire database belongs to one
+ * company — so there is no `tenant_id` column on this entity and no tenant
+ * filtering anywhere in this PBC.
  *
  * Custom fields: the `ext` JSONB column is the metadata-driven custom-field
  * store (architecture spec section 8). A key user can add fields to this
@@ -58,5 +60,5 @@ class User(
     var ext: String = "{}"
     override fun toString(): String =
-        "User(id=$id, tenantId=$tenantId, username='$username')"
+        "User(id=$id, username='$username')"
 }
@@ -3,7 +3,6 @@ package org.vibeerp.pbc.identity.ext
 import org.springframework.stereotype.Component
 import org.springframework.transaction.annotation.Transactional
 import org.vibeerp.api.v1.core.Id
-import org.vibeerp.api.v1.core.TenantId
 import org.vibeerp.api.v1.ext.identity.IdentityApi
 import org.vibeerp.api.v1.ext.identity.UserRef
 import org.vibeerp.api.v1.security.PrincipalId
@@ -21,7 +20,6 @@ import org.vibeerp.pbc.identity.infrastructure.UserJpaRepository
  *
  * **What this adapter MUST NOT do:**
  *   • leak `org.vibeerp.pbc.identity.domain.User` to callers
- *   • bypass tenant filtering (caller's tenant context is honored automatically)
  *   • return PII fields that aren't already on `UserRef`
  *
  * If a caller needs more fields, the answer is to grow `UserRef` deliberately
@@ -42,7 +40,6 @@ class IdentityApiAdapter(
     private fun User.toRef(): UserRef = UserRef(
         id = Id<UserRef>(this.id),
         username = this.username,
-        tenantId = TenantId(this.tenantId),
         displayName = this.displayName,
         enabled = this.enabled,
     )
@@ -29,12 +29,13 @@ import java.util.UUID
  * PBC, and so plug-in endpoints (which mount under `/api/v1/plugins/...`)
  * cannot collide with core endpoints.
  *
- * Tenant id is bound automatically by `TenantResolutionFilter` upstream of
- * this controller — there is no `tenantId` parameter on any endpoint and
- * there never will be. Cross-tenant access is impossible by construction.
+ * vibe_erp is single-tenant per instance — the entire process serves one
+ * company against an isolated database — so this controller does no tenant
+ * filtering and exposes no `tenantId` parameter. Customer isolation happens
+ * at the deployment level (one running instance per customer).
  *
  * Authentication is deferred to v0.2 (pbc-identity's auth flow). For v0.1
- * the controller answers any request that gets past the tenant filter.
+ * the controller answers any request.
  */
 @RestController
 @RequestMapping("/api/v1/identity/users")
@@ -102,7 +103,6 @@ data class UpdateUserRequest(
 data class UserResponse(
     val id: UUID,
-    val tenantId: String,
     val username: String,
     val displayName: String,
     val email: String?,
@@ -111,7 +111,6 @@ data class UserResponse(
 private fun User.toResponse() = UserResponse(
     id = this.id,
-    tenantId = this.tenantId,
     username = this.username,
     displayName = this.displayName,
     email = this.email,
@@ -8,14 +8,11 @@ import java.util.UUID
 /**
  * Spring Data JPA repository for [User].
  *
- * Tenant filtering happens automatically: Hibernate's
- * [org.vibeerp.platform.persistence.tenancy.HibernateTenantResolver] sees the
- * tenant from `TenantContext` and adds the discriminator predicate to every
- * generated query. Code in this file never writes `WHERE tenant_id = ?`.
- *
- * The Postgres Row-Level Security policy on `identity__user` is the second
- * wall — even if Hibernate's filter were misconfigured, the database would
- * still refuse to return cross-tenant rows.
+ * vibe_erp is single-tenant per instance — the entire database belongs to
+ * one company — so this repository does no tenant filtering. Querying for a
+ * user gives back the row if it exists, regardless of who is asking.
+ * Customer isolation happens at the *deployment* level: each customer gets
+ * their own running instance and their own Postgres database.
  */
 @Repository
 interface UserJpaRepository : JpaRepository<User, UUID> {
@@ -53,7 +53,7 @@ class UserServiceTest {
             )
         }
             .isInstanceOf(IllegalArgumentException::class)
-            .hasMessage("username 'alice' is already taken in this tenant")
+            .hasMessage("username 'alice' is already taken")
     }
     @Test
@@ -21,13 +21,13 @@ kotlin {
 dependencies {
     api(project(":api:api-v1"))
-    api(project(":platform:platform-persistence")) // for TenantContext used by the HTTP filter
     implementation(libs.kotlin.stdlib)
     implementation(libs.kotlin.reflect)
     implementation(libs.jackson.module.kotlin)
     implementation(libs.spring.boot.starter)
     implementation(libs.spring.boot.starter.web)
+    implementation(libs.spring.boot.starter.data.jpa) // for @EnableJpaRepositories on VibeErpApplication
     implementation(libs.spring.boot.starter.validation)
     implementation(libs.spring.boot.starter.actuator)
 package org.vibeerp.platform.bootstrap
 import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.autoconfigure.domain.EntityScan
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan
 import org.springframework.boot.runApplication
 import org.springframework.context.annotation.ComponentScan
+import org.springframework.data.jpa.repository.config.EnableJpaRepositories
 /**
  * Entry point for the vibe_erp framework.
@@ -13,8 +15,13 @@ import org.springframework.context.annotation.ComponentScan
  *   • all core PBCs that have been registered as Gradle dependencies of :distribution
  *   • the plug-in loader, which scans an external `./plugins/` directory
  *
- * The package scan is anchored at `org.vibeerp` so every PBC and platform module
- * is picked up by Spring as long as its Kotlin packages live under that root.
+ * **The four `@*Scan` annotations are critical for modular monolith setups.**
+ * Spring Boot's defaults only scan the main application's own package
+ * (`org.vibeerp.platform.bootstrap`), but every PBC lives in its own package
+ * (`org.vibeerp.pbc.identity`, `org.vibeerp.pbc.catalog`, …). Without the
+ * explicit `org.vibeerp` root, Spring would refuse to wire PBC repositories
+ * and entities at startup. PBCs are added by listing them in
+ * `:distribution`'s build.gradle.kts, not by editing this file.
  *
  * **What does NOT live in this process:**
  *   • the React web client (separate build, served by reverse proxy)
@@ -24,6 +31,8 @@ import org.springframework.context.annotation.ComponentScan
 @SpringBootApplication
 @ComponentScan(basePackages = ["org.vibeerp"])
 @ConfigurationPropertiesScan(basePackages = ["org.vibeerp"])
+@EnableJpaRepositories(basePackages = ["org.vibeerp"])
+@EntityScan(basePackages = ["org.vibeerp"])
 class VibeErpApplication
 fun main(args: Array<String>) {
@@ -9,7 +9,7 @@ import java.util.Locale
  *
  * The set of keys here is **closed and documented**: plug-ins do NOT extend
  * this tree. Per-plug-in configuration lives in the `metadata__plugin_config`
- * table, where it is tenant-scoped and editable in the UI.
+ * table, editable through the web UI.
  *
  * Reference: architecture spec section 10 ("The single config file").
  */
@@ -22,10 +22,15 @@ data class VibeErpProperties(
 )
 data class InstanceProperties(
-    /** "self-hosted" or "hosted". Self-hosted single-customer is the v0.1 default. */
-    val mode: String = "self-hosted",
-    /** Tenant id used when [mode] is "self-hosted". Always "default" unless overridden. */
-    val defaultTenant: String = "default",
+    /**
+     * Display name of the company that owns this instance.
+     *
+     * vibe_erp is single-tenant per instance: one running process serves
+     * exactly one company against an isolated database. The company name
+     * appears in branding, report headers, and audit logs. Provisioning a
+     * second customer means deploying a second instance with its own DB.
+     */
+    val companyName: String = "vibe_erp instance",
     /** External base URL of this instance, used for absolute links and OIDC. Optional. */
     val baseUrl: String? = null,
 )
+package org.vibeerp.platform.bootstrap.web
+
+import org.slf4j.LoggerFactory
+import org.springframework.http.HttpStatus
+import org.springframework.http.ProblemDetail
+import org.springframework.web.bind.annotation.ExceptionHandler
+import org.springframework.web.bind.annotation.RestControllerAdvice
+import java.time.Instant
+
+/**
+ * Process-wide exception → HTTP status translator.
+ *
+ * The framework has two principles for failure mapping:
+ *
+ *   1. **Expected failures get a typed status code.** A duplicate username,
+ *      a missing entity, an invalid argument — these are part of normal
+ *      business flow and should never surface as a 500. Mapping them here
+ *      keeps every PBC controller free of try/catch noise.
+ *
+ *   2. **Unexpected failures stay 500.** Anything not handled below is a
+ *      real bug or an infrastructure failure (DB down, NPE, …) — those
+ *      need to be logged with a stack trace and surfaced as a generic
+ *      "internal error" so an operator can pick them up from the logs.
+ *
+ * The response shape uses Spring's `ProblemDetail` (RFC 7807), which is
+ * what every modern API client and OpenAPI tool understands out of the box.
+ */
+@RestControllerAdvice
+class GlobalExceptionHandler {
+
+    private val log = LoggerFactory.getLogger(GlobalExceptionHandler::class.java)
+
+    /**
+     * `require(...)` failures and explicit `IllegalArgumentException` from
+     * domain code map to 400 Bad Request. Domain code uses these for
+     * "the caller asked for something that does not make sense" — invalid
+     * combinations, duplicate keys, malformed inputs the JSR-380 validation
+     * layer didn't catch.
+     */
+    @ExceptionHandler(IllegalArgumentException::class)
+    fun handleIllegalArgument(ex: IllegalArgumentException): ProblemDetail =
+        problem(HttpStatus.BAD_REQUEST, ex.message ?: "invalid argument")
+
+    /**
+     * Domain-layer "I asked for X but it isn't here" → 404 Not Found.
+     * Application services use `NoSuchElementException` consistently for
+     * this; mapping it here keeps controllers from manually wrapping every
+     * `findById().orElseThrow { ... }` in a try/catch.
+     */
+    @ExceptionHandler(NoSuchElementException::class)
+    fun handleNotFound(ex: NoSuchElementException): ProblemDetail =
+        problem(HttpStatus.NOT_FOUND, ex.message ?: "not found")
+
+    /**
+     * Last-resort fallback. Anything not handled above is logged with a
+     * full stack trace and surfaced as a generic 500 to the caller. The
+     * detail message is intentionally vague so we don't leak internals.
+     */
+    @ExceptionHandler(Throwable::class)
+    fun handleAny(ex: Throwable): ProblemDetail {
+        log.error("Unhandled exception bubbled to GlobalExceptionHandler", ex)
+        return problem(HttpStatus.INTERNAL_SERVER_ERROR, "internal error")
+    }
+
+    private fun problem(status: HttpStatus, message: String): ProblemDetail =
+        ProblemDetail.forStatusAndDetail(status, message).apply {
+            setProperty("timestamp", Instant.now().toString())
+        }
+}
-package org.vibeerp.platform.bootstrap.web
-
-import jakarta.servlet.FilterChain
-import jakarta.servlet.http.HttpServletRequest
-import jakarta.servlet.http.HttpServletResponse
-import org.springframework.boot.context.properties.ConfigurationProperties
-import org.springframework.core.Ordered
-import org.springframework.core.annotation.Order
-import org.springframework.stereotype.Component
-import org.springframework.web.filter.OncePerRequestFilter
-import org.vibeerp.api.v1.core.TenantId
-import org.vibeerp.platform.persistence.tenancy.TenantContext
-
-/**
- * HTTP filter that binds the request's tenant id to [TenantContext] for the
- * duration of the request and clears it on the way out.
- *
- * Lives in `platform-bootstrap` (not `platform-persistence`) because the
- * persistence layer must not depend on the servlet API or Spring Web — that
- * would couple JPA code to HTTP and forbid running PBCs from background
- * jobs or message consumers.
- *
- * Resolution order:
- *   1. `X-Tenant-Id` header (used by trusted internal callers and tests)
- *   2. `tenant` claim on the JWT (production path, once auth is wired up)
- *   3. The configured fallback tenant when running in self-hosted single-tenant mode
- *
- * The third path is what makes self-hosted single-customer use the SAME
- * code path as hosted multi-tenant: the request always sees a tenant in
- * `TenantContext`, the only difference is whether it came from the JWT
- * or from configuration. PBC code never branches on `mode`.
- */
-@Component
-@Order(Ordered.HIGHEST_PRECEDENCE + 10)
-class TenantResolutionFilter(
-    private val tenancyProperties: TenancyProperties,
-) : OncePerRequestFilter() {
-
-    override fun doFilterInternal(
-        request: HttpServletRequest,
-        response: HttpServletResponse,
-        filterChain: FilterChain,
-    ) {
-        val tenantId = resolveTenant(request)
-        TenantContext.runAs(tenantId) {
-            filterChain.doFilter(request, response)
-        }
-    }
-
-    private fun resolveTenant(request: HttpServletRequest): TenantId {
-        val header = request.getHeader("X-Tenant-Id")
-        if (header != null && header.isNotBlank()) {
-            return TenantId(header)
-        }
-        // TODO(v0.2): read JWT 'tenant' claim once pbc-identity ships auth.
-        return TenantId(tenancyProperties.fallbackTenant)
-    }
-}
-
-@Component
-@ConfigurationProperties(prefix = "vibeerp.tenancy")
-data class TenancyProperties(
-    /**
-     * Tenant id to use when no header or JWT claim is present.
-     * Defaults to "default" — the canonical id for self-hosted single-tenant.
-     */
-    var fallbackTenant: String = "default",
-)
@@ -2,12 +2,11 @@ package org.vibeerp.platform.persistence.audit
 import jakarta.persistence.Column
 import jakarta.persistence.EntityListeners
+import jakarta.persistence.Id
 import jakarta.persistence.MappedSuperclass
 import jakarta.persistence.PrePersist
 import jakarta.persistence.PreUpdate
 import jakarta.persistence.Version
-import org.hibernate.annotations.TenantId
-import org.vibeerp.platform.persistence.tenancy.TenantContext
 import java.time.Instant
 import java.util.UUID
@@ -16,10 +15,16 @@ import java.util.UUID
  *
  * Provides, for free, on every business table:
  *   • `id` (UUID primary key)
- *   • `tenant_id` (multi-tenant discriminator, NOT NULL, never written manually)
  *   • `created_at`, `created_by`, `updated_at`, `updated_by` (audit columns)
  *   • `version` (optimistic-locking column for safe concurrent edits)
  *
+ * **Single-tenant per instance.** vibe_erp is a single-tenant framework: one
+ * running process serves exactly one company against an isolated database.
+ * There is no `tenant_id` column on this superclass and no tenant filtering
+ * anywhere in the platform. Hosting multiple customers means provisioning
+ * multiple instances, not multiplexing them in one process — see CLAUDE.md
+ * guardrail #5 for the rationale.
+ *
  * **What this is NOT:**
  *   • This is INTERNAL to the platform layer. PBC code that lives in
  *     `pbc-*` extends this directly, but plug-ins do NOT — plug-ins extend
@@ -34,21 +39,10 @@ import java.util.UUID
 @EntityListeners(AuditedJpaEntityListener::class)
 abstract class AuditedJpaEntity {
+    @Id
     @Column(name = "id", updatable = false, nullable = false, columnDefinition = "uuid")
     open var id: UUID = UUID.randomUUID()
-    /**
-     * Tenant discriminator. Hibernate's `@TenantId` makes this column the
-     * automatic filter for every query and save: the value is sourced from
-     * `HibernateTenantResolver`, which in turn reads `TenantContext`. PBC
-     * code MUST NOT write to this property directly — the JPA listener
-     * fills it in on `@PrePersist`. Attempting to set it to a value other
-     * than the current tenant before save throws (see [AuditedJpaEntityListener]).
-     */
-    @TenantId
-    @Column(name = "tenant_id", updatable = false, nullable = false, length = 64)
-    open var tenantId: String = ""
-
     @Column(name = "created_at", updatable = false, nullable = false)
     open var createdAt: Instant = Instant.EPOCH
@@ -67,11 +61,11 @@ abstract class AuditedJpaEntity {
 }
 /**
- * JPA entity listener that fills in tenant id and audit columns at save time.
+ * JPA entity listener that fills in audit columns at save time.
  *
- * Reads tenant from `TenantContext` (set by an HTTP filter) and the principal
- * from a yet-to-exist `PrincipalContext` — for v0.1 the principal is hard-coded
- * to `__system__` because pbc-identity's auth flow lands in v0.2.
+ * Reads the principal from a yet-to-exist `PrincipalContext` — for v0.1 the
+ * principal is hard-coded to `__system__` because pbc-identity's auth flow
+ * lands in v0.2.
  */
 class AuditedJpaEntityListener {
@@ -79,21 +73,7 @@ class AuditedJpaEntityListener {
     fun onCreate(entity: Any) {
         if (entity is AuditedJpaEntity) {
             val now = Instant.now()
-            val tenant = TenantContext.currentOrNull()
-                ?: error("Cannot persist ${entity::class.simpleName}: no tenant in context")
-
-            // Defense against the "buggy caller pre-set tenantId to the wrong
-            // value" failure mode flagged in the v0.1 acceptance review. Silent
-            // overwrite would mask a real bug; throwing here surfaces it.
-            if (entity.tenantId.isNotBlank() && entity.tenantId != tenant.value) {
-                error(
-                    "Cannot persist ${entity::class.simpleName}: entity tenantId='${entity.tenantId}' " +
-                        "but current TenantContext is '${tenant.value}'. Cross-tenant write attempt?"
-                )
-            }
-
             val principal = currentPrincipal()
-            entity.tenantId = tenant.value
             entity.createdAt = now
             entity.createdBy = principal
             entity.updatedAt = now
-package org.vibeerp.platform.persistence.tenancy
-
-import org.hibernate.context.spi.CurrentTenantIdentifierResolver
-import org.springframework.stereotype.Component
-
-/**
- * Hibernate hook that returns the tenant id for the current Hibernate session.
- *
- * Wired into Hibernate via `spring.jpa.properties.hibernate.multiTenancy=DISCRIMINATOR`
- * (set in platform-persistence's auto-config). Hibernate then automatically
- * filters every query and every save by tenant — the application code never
- * writes `WHERE tenant_id = ?` manually.
- *
- * This is the FIRST of two walls against cross-tenant data leaks. The
- * SECOND wall is Postgres Row-Level Security policies on every business
- * table, applied by `RlsTransactionHook` on every transaction. A bug in
- * either wall is contained by the other; both walls must be wrong at
- * the same time for a leak to occur.
- *
- * Reference: architecture spec section 8 ("Tenant isolation").
- */
-@Component
-class HibernateTenantResolver : CurrentTenantIdentifierResolver<String> {
-
-    override fun resolveCurrentTenantIdentifier(): String =
-        TenantContext.currentOrNull()?.value
-            // We return a sentinel rather than throwing here because
-            // Hibernate calls this resolver during schema validation at
-            // startup, before any HTTP request has set a tenant.
-            ?: "__no_tenant__"
-
-    override fun validateExistingCurrentSessions(): Boolean = true
-}
-package org.vibeerp.platform.persistence.tenancy
-
-import org.vibeerp.api.v1.core.TenantId
-
-/**
- * Per-thread holder of the current request's tenant.
- *
- * Set by an HTTP filter on the way in (from JWT claim, header, or
- * subdomain), read by Hibernate's tenant resolver and by Postgres RLS
- * via a `SET LOCAL` statement at the start of every transaction.
- *
- * **Why a ThreadLocal and not a request-scoped Spring bean?**
- * Hibernate's `CurrentTenantIdentifierResolver` is called from inside
- * the Hibernate session, which is not always inside a Spring request
- * scope (e.g., during background jobs and event handlers). A ThreadLocal
- * is the lowest common denominator that works across all those code paths.
- *
- * **For background jobs:** the job scheduler explicitly calls
- * [runAs] to bind a tenant for the duration of the job, then clears it.
- * Never let a job thread inherit a stale tenant from a previous run.
- */
-object TenantContext {
-
-    private val current = ThreadLocal<TenantId?>()
-
-    fun set(tenantId: TenantId) {
-        current.set(tenantId)
-    }
-
-    fun clear() {
-        current.remove()
-    }
-
-    fun currentOrNull(): TenantId? = current.get()
-
-    fun current(): TenantId =
-        currentOrNull() ?: error(
-            "TenantContext.current() called outside a tenant-bound scope. " +
-                "Either an HTTP filter forgot to set the tenant, or a background job " +
-                "is running without explicitly calling TenantContext.runAs(...)."
-        )
-
-    /**
-     * Run [block] with [tenantId] bound to the current thread, restoring
-     * the previous value (which is usually null) afterwards.
-     */
-    fun <T> runAs(tenantId: TenantId, block: () -> T): T {
-        val previous = current.get()
-        current.set(tenantId)
-        try {
-            return block()
-        } finally {
-            if (previous == null) current.remove() else current.set(previous)
-        }
-    }
-}